Sunday, January 17, 2010

Who are you today?

Our current model of identity online is a poor representation of how we manage identity in the real world. As mass participation becomes ubiquitous, and the web becomes one of our primary social and political environments, we need to do better. Multiple identities, pseudonymity, anonymity and credibility are necessary aspects - a fundamental part of how we should be managing identity on the web. Most importantly, public participation in government needs a unified mechanism for managing these things. I'll propose the basis for a mechanism that supports this - one that reconciles the desire for multiple identities with the hassle of multiple logins.

Before starting, it's necessary to highlight a series of blogs about online identity by Andy Oram. He does an excellent job of assessing the landscape - the coverage is extensive and well researched. One key observation he makes is that our online identity is becoming more unified rather than fragmented. This is true, but it is happening because we are engineering identity management to achieve this - not because this unification is a natural expression of our human nature.

[Sherry Turkle] claims that we do maintain multiple online identities, and that this is no simple game but reflects a growing tendency for us to have multiple selves. The fragmentary and divided presentation of self online reflects the truth about ourselves, more than we usually acknowledge.

It's not a strange multiple personality disorder that we're all afflicted with - it's simple human nature. We can think of our society as a complex multi-dimensional Venn diagram, where each person's perception of their identity is represented by a single circular region, and intersections between these regions represent groups. We see this all the time in our personal relationships - there are obvious differences between how our partner, family, friends and colleagues understand us, and what information we are prepared to offer them. We maintain all of these relationships - we keep information from some people while providing it to others, and people sometimes make stuff up. It's not some nefarious deceit - it's just a fundamental part of the way humans manage relationships.

We see regular evidence of this human behaviour online. We attempt to keep professional and social associations separate on LinkedIn and Facebook. We experience discomfort when 'friended' on Facebook by people we don't consider friends. Obviously the boundaries vary greatly for each person and within each group, but that's part of the point - everybody is different, everybody creates boundaries where they are comfortable, and not everybody is a friend. The push to make us all singularly open creates weird fantasy lands - just what you would expect in the real world if we were only able to expose a single identity - the minimum intersection that is comfortable in every context.

An unfortunate aspect of this is that our uniqueness, our creativity, our gravitas even, is often best represented by the parts of us that intersect the least. This is regularly the best expression of who we really are, what drives us, and what makes us unique individuals. We have many real world identities - subsets, intersections and mutual exclusions - all of them constantly moving. It seems utterly counter-intuitive to me that we should be engineering our online world to bring all the regional intersections of our social Venn diagram into alignment. Unless we are trying to model something different to real-world identity, then we're doing it wrong.

Tim O'Reilly noted that 'It's not a matter of perfect intelligence and perfect stupidity, it's a matter of a mixture of intelligence and stupidity, of brilliance and idiocy all in the same brain, of failures of will, failures of virtue, failures of goodness, at the same time as enormous heroism, enormous accomplishment - all these things are going to be true of internet applications, just as it is true of individuals'. We need to embrace our humanity, and recognise that the quest for our one true, homogenous and palatable internet identity is just an insidious endeavour in global groupthink.

Multiple identities online give us new opportunities for self expression as well - providing the capability to publicly explore elements of our psyche that we would otherwise keep private. Some of that will be roughly hewn rubbish, it's true, but the key here is that the internet provides new opportunities to be comfortable with being wrong. If we are anonymous, we need not fear rejection. This is important, because the idea of 'fail fast' is one that we know to reap rewards. Allowing multiple identities gives us new opportunities to fail fast as individuals, and, on rare occasions, to succeed fast. Either way it's a win-win situation. It's not just the identity owner who benefits - if we enable more fail-fast behaviour, for individuals and groups, then society as a whole benefits enormously.

How can we engineer support for multiple identities?

Whether or not you agree with the argument for multiple identities, a mechanism for achieving it is reasonably obvious. If we see the internet operating system emerging, then we should need to log in once with an identity provider, and have the opportunity to switch profiles at will. Each application in the operating system sees a profile as an identity, and only the identity provider maintains the information that associates profiles. It's up to me whether I want one or many profiles. It's my responsibility to take as little or as much care as I like to keep these worlds logically separate from each other. I get to define how much information about my true identity is revealed in a particular profile. If I only want one profile, then usage would be identical to our current experience. It's fairly simple, and it's a better match for the reality of how we manage identity in the real world.

It's understandable that we don't have this today (see note 1) - but we shouldn't kid ourselves that what we do have is a good representation of how we manage identity in the real world. Sometimes we seem to be working on the assumption that human nature should be changed rather than modelled [Mark Zuckerberg][Eric Schmidt]. Looking at the Apple Human Interface Guidelines for some perspective on this is quite helpful -

To help you discover the mental models people associate with your product’s tasks, look at how they perform similar tasks without a computer... Design your product to reflect these things, but don’t insist on replicating each step a user might take when performing the task without a computer. Take advantage of the inherent strengths of the computing environment to make the whole process easier or more streamlined.

Obvious stuff, and it not only highlights that we should be modelling the way people do things in the real world, but that we should be seeking improved facilitation of this behaviour.

Additional considerations with this approach

It might be argued that people maintaining multiple identities is a hassle for the authorities. However, like most things, regulation and control is a better solution for something that people will undertake regardless of the authorities' position. A key element of the above solution is that an identity provider maintains the relationship between profiles, and can correlate this to a single login. A profile can be provided to an application with data that only the identity provider can use to perform this correlation. It's easier to regulate and control. I'm not suggesting people would cease to create multiple logins, but we would observe some separation between those who manage multiple identities for reasons of self expression, and those who do so for nefarious purposes. Of course there are many legitimate reasons why someone might not want any linking information to be stored, and I'll explore that scenario below when looking at 'true anonymity'.

The risk of unauthorised access at the identity provider is real, as is hacker activity. These represent the greatest risk to identity management in general, but especially maintenance of separate identities. It seems clear to me, however, that as identity provision becomes standardised, and its importance better understood, the need for security and enforcement against such breaches will become more obvious and more regulated. The role of identity provider will increasingly become one which carries significant responsibility and users will choose an identity provider on the basis of how they perceive the security they offer. As we enter the world of public participation in government, many aspects of identity management will become increasingly necessary - the need for regulation, trust, verifiability and credibility will all see an increase in importance.

Credibility

Credibility is something that we know is necessary for online activities that require trust. No one likes a zero star seller. With the identity management solution outlined above, we get new opportunities for managing credibility - especially if this is something maintained by the identity provider. For example, eBay could specify that their reputation is transferable between user identities - so that no matter which profile we enter eBay with, we retain a common reputation score. Conversely, a forum might specify that reputation is not transferable. This leads to yet another interesting possibility - the capacity to merge profiles. If you have been posting on a forum with multiple profiles, you might choose to combine them, and with such a merger deliver increased (or decreased) reputation to the new identity.

One of the arguments against multiple identities is that it generates a lot of noise - people being antagonistic, offensive or just spouting rubbish with no requirement to own up to these contributions. Using a credibility mechanism provides an excellent tool for managing this problem. A profile with low credibility (such as one that is newly created, or often marked down) can be easily distinguished from one with high credibility. It would generally be in the user's interest to improve the credibility of the profiles that they use. Credibility metrics are a critical example of how we can achieve additional benefits in online identity management.

Verifiability is a part of credibility, but it has some interesting additional aspects. An identity provider could offer the means for you to verify that you are you. If you provided your passport or driver's licence, then the identity provider could indicate this increased confidence in each of your profiles by increasing your credibility. In something like participation in government - the fact that you have this kind of credibility could be a requirement for participation in some forums. Something similar could be achieved for qualifications. This mechanism would also provide significant protection against online identity theft. I'm not proposing that this should be a requirement for having an online identity, but would represent a legitimate option for improving credibility.

Plenty of other credibility management opportunities exist, particularly around endorsement by others - but the basic argument is that delivery of a mechanism for managing credibility - one that can span the entire user or individual profiles and apply both in individual applications and universally - is a basic and necessary part of participation on the web.

What about Gov 2.0?

Gadi Ben-Yehuda provided some good analysis of the role of anonymity in Gov 2.0, observing that there are pros and cons. He concluded that we do need to reveal our true identity to contribute to online government, and constructed a useful scale of escalating disclosure on the basis that the more influence you have, the less private you should be. He concluded that participation in Gov 2.0 required scrutiny a little greater than we would expect when speaking at a town-hall. However, it's a one-size-fits-all observation - Gov 2.0 should enable us to participate at all the levels he identified and more in between. With the ability to maintain multiple online identities, we can achieve this relatively easily, providing the user with the means to reveal only what is required by the particular forum. This is a great application of the human interface guidelines - we can deliver a better outcome by taking advantage of the strengths of the computer environment.

His main argument in support of anonymity is that it allows the speaker to be completely truthful - they don't need to fear personal repercussions for saying what they really think. It's important to observe that this is the primary reason why we vote anonymously. Not only that, but it's considered rude to expect someone to tell you how they voted. It's a critical example of the need for anonymity in real world government processes.

True Anonymity

The Electronic Frontier Foundation makes a number of good points on the role of anonymity, especially in relation to government and politics. The statement highlights the fact that we need secure anonymity. They argue that you will only say what you think if you feel confident that your anonymity can be preserved. Clearly if an identity provider maintains the relationship between your profiles, and provides trackable information to an application (even though the application itself cannot use it), then there is no such guarantee.

For true anonymity to work, the identity provider must deliver an anonymous profile to the application - one that does not contain information to link back to the user id at the identity provider. You might maintain many anonymous profiles, and provide as much or as little information as you liked - your credibility, your country of residence, even your postcode - the key is that the application isn't given the specific identifying information needed to trace back to your account at the identity provider. Obviously if you gave up too much information in your anonymous profile, then deduction might be sufficient to identify you - but that is a risk for the user to manage. Also, there would be no way for credibility to be affected by contributions made anonymously, but providing your base credibility with the anonymous profile might be considered useful in some contexts. It is important to recognise that we can achieve 'true anonymity' while still providing information that is trustable, and might be required in a particular forum.
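The two kinds of profile described in this post, as an added sketch that is not part of the original post: a pseudonymous profile carries an opaque handle that only the identity provider can map back to a login, while an anonymous profile carries vouched-for attributes and no stored link at all. The class and method names, the HMAC-based vouching (checked by calling back to the provider), and the one-time anonymous subject are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets

class IdentityProvider:
    """Toy identity provider (hypothetical design, assumed for illustration)."""
    def __init__(self):
        self._key = secrets.token_bytes(32)   # MAC key, never leaves the provider
        self._handles = {}                    # (login, profile) -> opaque handle
        self._owners = {}                     # opaque handle -> login

    def _mac(self, claims):
        body = json.dumps(claims, sort_keys=True).encode()
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def assert_profile(self, login, profile, attributes):
        """Pseudonymous profile: stable handle, linkable only by the provider."""
        key = (login, profile)
        if key not in self._handles:
            handle = secrets.token_hex(16)    # random, carries no login data
            self._handles[key] = handle
            self._owners[handle] = login
        claims = {"sub": self._handles[key], "attrs": attributes}
        return {"claims": claims, "mac": self._mac(claims)}

    def assert_anonymous(self, attributes):
        """Anonymous profile: one-time subject, nothing recorded about the login."""
        claims = {"sub": "anon-" + secrets.token_hex(16), "attrs": attributes}
        return {"claims": claims, "mac": self._mac(claims)}

    def verify(self, assertion):
        """Applications call this to check the provider vouches for the claims."""
        expected = self._mac(assertion["claims"])
        return hmac.compare_digest(expected, assertion.get("mac", ""))

    def same_owner(self, sub_a, sub_b):
        """Provider-side correlation. None means the provider cannot tell."""
        a, b = self._owners.get(sub_a), self._owners.get(sub_b)
        return None if a is None or b is None else a == b


def demo():
    idp = IdentityProvider()
    # Constructed sample logins, profiles and attributes.
    work = idp.assert_profile("alice@example.org", "work", {"credibility": 4})
    hobby = idp.assert_profile("alice@example.org", "hobby", {"credibility": 4})
    other = idp.assert_profile("bob@example.org", "main", {"credibility": 2})
    anon = idp.assert_anonymous({"credibility": 4, "country": "AU"})
    subs = [a["claims"]["sub"] for a in (work, hobby, other, anon)]
    return {
        "distinct_to_apps": len(set(subs)) == 4,
        "login_leaked": any("alice" in json.dumps(a) for a in (work, hobby, anon)),
        "work_hobby_linked": idp.same_owner(subs[0], subs[1]),
        "work_other_linked": idp.same_owner(subs[0], subs[2]),
        "anon_linked": idp.same_owner(subs[0], subs[3]),
        "anon_verified": idp.verify(anon),
    }
```

The applications see four unrelated subjects; the provider can link the two pseudonymous profiles to one login, but has no record with which to link the anonymous one, even though its attributes still verify.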

Another consideration is that delivering true anonymity would need to be reconciled with the authorities' desire to track internet usage against real identities - a battle which the EFF and governments are fighting on a daily basis. It's not necessary to open this can of worms here - just to observe that there is no technical reason why true anonymity cannot be supported. Even more importantly, if we want to realise all the benefits that Gov 2.0 can offer, then we need to support it.

Conclusions

Andrea di Maio said we need to balance the desire of government to get closer to citizens while respecting their desire and right to privacy. It's worth highlighting that the converse is also true - we need to balance the desire of citizens to get closer to government while respecting their desire and right to privacy. Citizens shouldn't be required to reveal more than is necessary - precisely because the most important thing is knowing what people really think. Effectively managing multiple identities and anonymity is a major facilitator in lowering the barriers to participation in government.

We are correct to strive for a one-to-one relationship between our physical self and our internet login, but mistaken to extend that to the relationship between our login and our online presence. I've offered a rough outline for a solution, and looked at some of the opportunities and risks. It's true that our current software infrastructure would struggle to realise this vision, but it's a simple argument - if people are creating multiple identities online and will continue to do so, and if the benefits are clear, then why aren't we modelling this behaviour properly with online identity? The social web must enable us, not constrain us.

UPDATE 18/01/10: It seems I missed the Open Identity For Government initiative while researching this post. I'm not sure how I managed that, but there it is. The initiative is high profile, wide ranging, and highly relevant to this discussion. It's based around OpenID & Information Cards, and provides many of the technical elements of my suggested solution - specifically: true anonymity with verifiability, pseudonyms, limiting personal information depending on the forum, centralised management at a trusted identity provider and strong regulation at the identity provider. The system also offers the ability to maintain multiple identities, although aspects such as identity merging & portable credibility do not seem to be supported. The initiative is, however, a great basis on which to build these elements, as it represents an ideal subset of my proposal. From another perspective this post represents an independent thought stream that reached the same conclusions, and provides plenty of meat for going beyond their proposal. In any case, apologies for the research gap - at least I found it before someone pointed it out to me :) I'm really excited by the direction that the Open Identity Initiative is taking. It looks like we're doing it right after all!

1. There is some recognition of this concept in OpenID, with a 'personas' feature allowing you to maintain different sets of information with a single OpenID. It's heading in the right direction, but it's an optional registration extension, and only implemented by a few identity providers (e.g. myOpenID). It is only utilised when registering with a service provider (application), and certainly not something the service provider needs to be aware of. The OpenID specification itself has very few references to the concept - simply describing the feature as

'A subset of the user's identity data. A user can have multiple personas as part of their identity. For example, a user might have a work persona and a home persona.'

It's ineffective for maintaining multiple identities in the manner I have described for a number of reasons, but primarily because each persona is a subset of the same data set, and secondly because there is no mechanism or requirement for the service provider to recognise separate personas. One reason for this is that it would be considered too big a job to add this support to all of the applications on the internet. However, I think if you saw a few major providers - Google, Facebook etc. - doing so, smaller players would begin to support it as well. Another reason might be the added complexity to users - 'I know about username and password - what's this new persona thing'? However, it would be simple to hide the persona features using a default persona, and making that the standard behaviour - the usage flow would remain unchanged for those that don't use the feature. A user need not even be aware the feature exists.